From 62483b4b5a1b705f600293f68a393ec409452677 Mon Sep 17 00:00:00 2001 From: Fabian Niesen Date: Thu, 12 Sep 2024 17:49:02 +0200 Subject: [PATCH] Add additional Portchecks --- Network/Check-Network.ps1 | 152 +++++++++++++++++++++++++------------- 1 file changed, 102 insertions(+), 50 deletions(-) diff --git a/Network/Check-Network.ps1 b/Network/Check-Network.ps1 index ed79cb9..3ed3b47 100644 --- a/Network/Check-Network.ps1 +++ b/Network/Check-Network.ps1 @@ -35,56 +35,15 @@ 0.1 FN 12.10.2022 Initial version. .LINK - https://github.com/FabianNiesen/SecureAD + https://github.com/FabianNiesen/ #> param ( - [int]$targetMTU = 8800, + [int]$targetMTU = 8000, [int]$mtuoh = 28, [string]$DNSDomain = (Get-DnsClientGlobalSetting).SuffixSearchList[0], [string]$logpath = "C:\Windows\System32\LogFiles" ) -Set-Location $PSScriptRoot -$ScriptName = $myInvocation.MyCommand.Name -$ScriptName = $ScriptName.Substring(0, $scriptName.Length - 4) -$LogName = (Get-Date -UFormat "%Y%m%d-%H%M") + "-" + $scriptName + "_" + $ENV:COMPUTERNAME +".log" -Start-Transcript -Path "$logpath\$LogName" -Append -IF ( $DNSDomain -like "") - { - Write-Warning "DNSDomain not Valid. Please use the Parameter >-DNSDomain domain.tld<" - Break - } -Write-Verbose "Scan for Networkinterfaces" -$networkConfig = Get-WmiObject Win32_NetworkAdapterConfiguration -filter "ipenabled = 'true'" -Write-Verbose "Get IPv6 Status (Based on Microsoft KB929852)" -Try { -$IPv6State = Get-ItemPropertyValue "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" "DisabledComponents" -ErrorAction SilentlyContinue -} -Catch { $IPv6State = -1 } -If ($IPv6State -eq 50 ) {Write-Output "IPv6 diabled on Interfaces and prefer IPv4 over IPv6 (Based on Microsoft KB929852)"} else { Write-Warning "IPv6 is not proper disabled!"} -Write-Output " " -Write-Output "DNSSearchSuffix: $((Get-DnsClientGlobalSetting).SuffixSearchList)" -Foreach ( $nc in $networkConfig ) -{ - $NIPI = Get-NetIPInterface -InterfaceIndex $($nc.InterfaceIndex) -AddressFamily IPv4 - Write-Output " " - Write-Output "InterfaceIndex: $($nc.InterfaceIndex) - InterfaceAlias: $($NIPI.ifAlias)" - Write-Output "Description: $($nc.Description)" - Write-Output "DnsDomain: $($nc.DnsDomain)" - Write-Output "DHCP is $($NIPI.Dhcp)" - Write-Verbose "Get DNSDomain" - Write-Verbose "Get NetBios over TCPIP" - $NetBios = $nc.TcpipNetbiosOptions - If ( $NetBios -eq 2) { write-output "NetBios over TCP/IP is disabled" } ELSE { Write-Warning "NetBios over TCP/IP is not disabled" } - $IP = $nc.IPAddress[0] - $DNSServer1 = $nc.DNSServerSearchOrder[0] - #Testen - IF ( $DNSServer1 -match $IP -or $DNSServer1 -match "127.*") { Write-Warning "Please Check DNS Serversetting, primary DNS is local Server" } - $MTU = $NIPI.NlMtu - IF ($targetMTU -eq $MTU ) { Write-Output "MTU as expected ($MTU)" } else { Write-warning "MTUSize is: $MTU expected is $targetMTU" } -} -# Test Domain access - #region EVOTec Test LDAP #Code for this region from https://evotec.xyz/testing-ldap-and-ldaps-connectivity-with-powershell/ under MIT license #GitHub: https://github.com/EvotecIT/ADEssentials @@ -156,26 +115,86 @@ Function Test-LDAP { } } } -#endregion +#endregion EVOTec Test LDAP +Function Test-UDP { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)][string]$target, + [Parameter(Mandatory = $true)][int]$UDPport + ) + try { + $udpClient = New-Object System.Net.Sockets.UdpClient + $udpClient.Connect($target, $UDPport) + Write-Verbose "UDP-Port $UDPport ist auf $target verfügbar." + $udpClient.Close() + $Success = $true + } catch { + Write-Verbose "Es konnte keine Verbindung zu $target auf UDP-Port $UDPport hergestellt werden." + $Success = $false + } + return $Success +} +Set-Location $PSScriptRoot +$ScriptName = $myInvocation.MyCommand.Name +$ScriptName = $ScriptName.Substring(0, $scriptName.Length - 4) +$LogName = (Get-Date -UFormat "%Y%m%d-%H%M") + "-" + $scriptName + "_" + $ENV:COMPUTERNAME +".log" +Start-Transcript -Path "$logpath\$LogName" -Append +IF ( $DNSDomain -like "") + { + Write-Warning "DNSDomain not Valid. Please use the Parameter >-DNSDomain domain.tld<" + Break + } +Write-Verbose "Scan for Networkinterfaces" +$networkConfig = Get-WmiObject Win32_NetworkAdapterConfiguration -filter "ipenabled = 'true'" +Write-Verbose "Get IPv6 Status (Based on Microsoft KB929852)" +Try { +$IPv6State = Get-ItemPropertyValue "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" "DisabledComponents" -ErrorAction SilentlyContinue +} +Catch { $IPv6State = -1 } +If ($IPv6State -eq 50 ) {Write-Output "IPv6 diabled on Interfaces and prefer IPv4 over IPv6 (Based on Microsoft KB929852)"} else { Write-Warning "IPv6 is not proper disabled!"} +Write-Output " " +Write-Output "DNSSearchSuffix: $((Get-DnsClientGlobalSetting).SuffixSearchList)" +Foreach ( $nc in $networkConfig ) +{ + $NIPI = Get-NetIPInterface -InterfaceIndex $($nc.InterfaceIndex) -AddressFamily IPv4 + Write-Output " " + Write-Output "InterfaceIndex: $($nc.InterfaceIndex) - InterfaceAlias: $($NIPI.ifAlias)" + Write-Output "Description: $($nc.Description)" + Write-Output "DnsDomain: $($nc.DnsDomain)" + Write-Output "DHCP is $($NIPI.Dhcp)" + Write-Verbose "Get DNSDomain" + Write-Verbose "Get NetBios over TCPIP" + $NetBios = $nc.TcpipNetbiosOptions + If ( $NetBios -eq 2) { write-output "NetBios over TCP/IP is disabled" } ELSE { Write-Warning "NetBios over TCP/IP is not disabled" } + $IP = $nc.IPAddress[0] + $DNSServer1 = $nc.DNSServerSearchOrder[0] + #Testen + IF ( $DNSServer1 -match $IP -or $DNSServer1 -match "127.*") { Write-Warning "Please Check DNS Serversetting, primary DNS is local Server" } + $MTU = $NIPI.NlMtu + IF ($targetMTU -eq $MTU ) { Write-Output "MTU as expected ($MTU)" } else { Write-warning "MTUSize is: $MTU expected is $targetMTU" } +} +# Test Domain access +Write-Output " " +Write-Output "Test DC connection" +Write-Output "============================================" $DCs2 = (((nltest /dclist:$DNSDomain).trim() | Select-String -Pattern ".$DNSDomain") | Select-Object -skip 1 ) $DCs2 = ($DCs2 -split " ") -match ".$DNSDomain" - +Write-Output "Found $DCs2" ForEach ($DC in $DCs2) { [String]$IP = (Resolve-DNSname $DC -Type A ).IPAddress + Write-Output " " Write-Output "Start Test for $DC - $IP" Write-Output "============================================" - IF (Test-Connection -ComputerName $DC -Count 1 -ErrorAction SilentlyContinue | Out-Null ) + IF (Test-Connection -ComputerName $DC -Count 1 -ErrorAction SilentlyContinue ) { Write-Output "$DC is reachable with ICMP" Try { Get-ChildItem -Path \\$DC\sysvol\$DNSDomain\ -ErrorAction stop | Out-Null Write-Output "Sysvol on $DC accessable" } - catch - {Write-Warning "Sysvol on $DC NOT accessable"} - Test-LDAP $DC + catch {Write-Warning "Sysvol on $DC NOT accessable"} Write-Output "Testing MTU Size, asummed Overhead is $mtuoh." $MTUPing = ping $DC -n 1 -l 1400 -f IF ($MTUPing[2] -like "*fragmented*" ) { Write-Warning "$DC not reachable with MTU 1400" } ELSE { Write-Output "$DC is reachable with MTU 1400" } @@ -185,7 +204,40 @@ ForEach ($DC in $DCs2) IF ($MTUPing[2] -like "*fragmented*" ) { Write-Warning "$DC not reachable with local MTU $MTU" } ELSE { Write-Output "$DC is reachable with local MTU $MTU" } } ELSE { - Write-Warning "$DC is not reachable with ICMP" + Write-Warning "$DC is not reachable with ICMP at all" } + + Write-Output " " + Write-Output "Test Common TCP ports connection" + Write-Output "============================================" + Write-Output "WinRM (TCP 5985) : $((Test-NetConnection -ComputerName $DC -CommonTCPPort WINRM -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output "WinRMs (TCP 5986) : $((Test-NetConnection -ComputerName $DC -Port 5986 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output "Kerberos (TCP 88) : $((Test-NetConnection -ComputerName $DC -Port 88 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output "KerberosPW (TCP 464) : $((Test-NetConnection -ComputerName $DC -Port 464 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output "DNS (TCP 53) : $((Test-NetConnection -ComputerName $DC -Port 53 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output "RPC (TCP 135) : $((Test-NetConnection -ComputerName $DC -Port 135 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output "SMB (TCP 445) : $((Test-NetConnection -ComputerName $DC -Port 445 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output "Legacy NetBios (TCP 139) : $((Test-NetConnection -ComputerName $DC -Port 445 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue ).TcpTestSucceeded)" + Write-Output " " + Write-Output "Test Common UDP ports connection (True might be filltered / silently droped!)" + Write-Output "============================================" + Write-Output "Kerberos (UDP 88) : $(Test-UDP -target $DC -UDPport 88 )" + Write-Output "DNS (UDP 53) : $(Test-UDP -target $DC -UDPport 53 )" + Write-Output "SMB (UDP 445) : $(Test-UDP -target $DC -UDPport 445 )" + Write-Output "W32Time / NTP (UDP 123) : $(Test-UDP -target $DC -UDPport 123 )" + Write-Output "Legacy NetBios (UDP 137) : $(Test-UDP -target $DC -UDPport 137 )" + Write-Output "Legacy NetBios (UDP 138) : $(Test-UDP -target $DC -UDPport 138 )" + + Write-Output " " + Write-Output "Test LDAP connection (Application Test)" + Write-Output "============================================" + Test-LDAP $DC + + Write-Output " " + Write-Output "Test SMB connection (might not work for not Domainjoined Computers)" + Write-Output "============================================" + Write-Output "Found Directories in SysVol: $(([System.IO.Directory]::GetDirectories($("\\"+$DC+"\SysVol"))).Count)" + Write-Output "Found Files in NetLogon: $(([System.IO.Directory]::GetFiles($("\\"+$DC+"\NetLogon"))).Count)" + } Stop-Transcript \ No newline at end of file